Additional Materials:

Contact:

Critical infrastructure protection (CIP) activities called for in federal policy and law are intended to enhance the security of the public and private infrastructures that are essential to our nation's security, economic security, and public health and safety. Effective information-sharing partnerships between industry sectors and government can contribute to CIP efforts. Federal policy has encouraged the voluntary creation of information sharing and analysis centers (ISAC) to facilitate infrastructure sector participation in CIP information sharing efforts. GAO was asked to identify actions that the Department of Homeland Security (DHS) could take to improve the effectiveness of CIP information-sharing efforts.

Federal awareness of the importance of securing the nation's critical infrastructures--and the federal government's strategy to encourage cooperative efforts among state and local governments and the private sector to protect these infrastructures--have been evolving since the mid-1990s. Federal policy continues to emphasize the importance of the ISACs and their information-sharing functions. In addition, federal policy established specific responsibilities for DHS and other federal agencies involved with the CIP sectors. The ISACs have identified challenges requiring further federal action, including building trusted relationships; developing processes to facilitate information sharing; overcoming barriers to information sharing; clarifying the roles and responsibilities of the various government and private-sector entities that are involved in protecting critical infrastructures; and funding ISAC operations and activities. A lthough DHS has taken a number of actions to implement the public/private partnership called for by federal CIP policy, it has not yet developed a plan that describes how it will carry out its information-sharing responsibilities and relationships. Such a plan could encourage improved information sharing among the ISACs, other CIP entities, and the department by clarifying the roles and responsibilities of all the entities involved and clearly articulating actions to address the challenges that remain. DHS officials indicated that they intend to develop an information-sharing plan, but no specific time frame for completing the plan has been established. The department also lacks policies and procedures to ensure effective coordination and sharing of ISAC-provided information among the appropriate components within the department. Developing policies and procedures would help ensure that information is effectively and efficiently shared among its components and with other government and private-sector CIP entities.

Recommendations for Executive Action

Status: Closed - Implemented

Comments: In the 2006 National Infrastructure Protection Plan (NIPP), DHS outlined a clear description of the roles and responsibilities of the Department, the information sharing and analysis centers, the sector coordinators, and the sector-specific agencies and actions designed to address information-sharing challenges. Specifically, the NIPP detailed DHS' network approach to information sharing. The new method provides DHS with the ability to share information with government and private sector security partners both vertically and horizontally, as well as enhanced capability for decentralized decision-making and actions. The primary objective of the new approach to information sharing is to enhance situational awareness and maximize the ability of security partners at all levels to assess risks and execute risk-mitigation programs and activities. Under the network approach DHS' Network Operations Center (NOC), serves as the Nation's hub for domestic incident management operational coordination and situational awareness. The NOC is a standing 24/7 interagency organization fusing law enforcement, national intelligence, emergency response, and private sector reporting. The NOC facilitates homeland security information-sharing and operational coordination among DHS and the ISACs, the sector coordinators, and the sector-specific agencies and actions designed to address information-sharing challenges.

Recommendation: To help improve the effectiveness of DHS's information-sharing efforts with the ISACs and others, the Secretary of Homeland Security should direct officials within the Information Analysis and Infrastructure Protection (IAIP) Directorate to proceed with and establish milestones for the development of an information-sharing plan that includes (1) a clear description of the roles and responsibilities of DHS, the ISACs, the sector coordinators, and the sector-specific agencies and (2) actions designed to address information-sharing challenges. Efforts to develop this plan should include soliciting feedback from the ISACs, sector coordinators, and sector-specific agencies to help ensure that challenges identified by the ISACs and the ISAC Council are appropriately considered in the final plan.

Comments: Consistent with our recommendation, DHS developed two policies for interacting with ISACs, sector coordinators, and sector-specific agencies and for coordination and information sharing within directorates and other DHS components that may interact with the ISACs, including TSA. The first policy, which was issued in February 2007, called for all DHS components to provide department directorates responsible for information analysis and infrastructure protection access to all potential terrorism, homeland security, law enforcement, and related information, including foreign intelligence information. Likewise, the policy also called for the directorates to share their potential terrorism and related information with the components. The second policy, which was issued in March 2007 and is referred to as the Critical Infrastructure and Key Resources (CI/KR) Information Sharing Environment policy, specified how DHS would share information with the critical infrastructure sectors. It stated that the National Infrastructure Coordination Center (NICC) would provide a centralized mechanism and processes for coordination and delivery of information between the government and the CI/KR sectors, ISACs, sector coordinators, and sector-specific agencies. The policy also stated that the NICC would serve as a DHS focal point for CI/KR suspicious activity, incident and status reporting. These policies should help DHS strengthen its information sharing within the department and between the department and the critical infrastructure sectors.

Recommendation: To help improve the effectiveness of DHS's information-sharing efforts with the ISACs and others, the Secretary of Homeland Security should direct officials within the IAIP Directorate to, considering the roles, responsibilities, and actions established in the information-sharing plan, develop appropriate DHS policies and procedures for interacting with ISACs, sector coordinators, and sector-specific agencies and for coordination and information sharing within the IAIP Directorate (such as the National Cyber Security Division and Infrastructure Coordination Division) and other DHS components that may interact with the ISACs, including TSA.